Bug 1771946 - glibc-2.30.9000-18.fc32: Login fails with a seccomp denial on clock_nanosleep() syscall: ANOM_ABEND exe="/usr/sbin/sshd" sig=31 res=1
Summary: glibc-2.30.9000-18.fc32: Login fails with a seccomp denial on clock_nanosleep...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1773912 1775533 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-13 10:04 UTC by Petr Pisar
Modified: 2020-02-03 14:06 UTC (History)
11 users (show)

Fixed In Version: openssh-8.1p1-2.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-14 08:37:53 UTC
Type: Bug

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 3093 0 None None None 2019-11-13 12:07:14 UTC

Description Petr Pisar 2019-11-13 10:04:29 UTC 
After updating glibc from 2.30.9000-17.fc32 to 2.30.9000-18.fc32 I cannot log in via SSH to the machine. An Audit log contains:

Nov 13 10:53:23 fedora-32 audit[4230]: SECCOMP auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f5e6aafa55e code=0x0
Nov 13 10:53:23 fedora-32 kernel: audit: type=1326 audit(1573638803.809:210): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f5e6aafa55e code=0x0
Nov 13 10:53:23 fedora-32 audit[4230]: ANOM_ABEND auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1
Nov 13 10:53:23 fedora-32 kernel: audit: type=1701 audit(1573638803.809:211): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1
Nov 13 10:53:23 fedora-32 kernel: audit: type=1109 audit(1573638803.811:212): pid=4229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=2620:52:0:2b02:1aa9:5ff:feb6:209b addr=2620:52:0:2b02:1aa9:5ff:feb6:209b terminal=ssh res=failed'

syscall 230 is clock_nanosleep(). ANOM_ABEND means a process received a fatal signal. Signal 31 is SIGSYS.

These glibc RPM changelog entries look suspicious:

- nptl: Move nanosleep implementation to libc
- Refactor nanosleep in terms of clock_nanosleep

I believe sshd needs to update its seccomp policy to allow clock_nanosleep(2) syscall to work with recent glibc correctly.
Comment 1 Petr Pisar 2019-11-13 10:06:04 UTC 
I have openssh-server-8.1p1-1.fc32.x86_64.
Comment 2 Jakub Jelen 2019-11-13 12:07:15 UTC 
Thank you for the report. Can you try the following scratch build whether it addresses the issue:

https://koji.fedoraproject.org/koji/taskinfo?taskID=38964144

(added the clock_nanosleep() to the seccomp whitelist)
Comment 3 Petr Pisar 2019-11-14 07:11:36 UTC 
I confirm the scratch build fixes the issue for me.
Comment 4 Jakub Jelen 2019-11-14 08:25:28 UTC 
Thank you for verifying the fix. I will push the rawhide update now.
Comment 5 Florian Weimer 2019-11-19 11:16:20 UTC 
*** Bug 1773912 has been marked as a duplicate of this bug. ***
Comment 6 Jakub Jelen 2019-11-22 09:09:29 UTC 
*** Bug 1775533 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.